vault 0.6.0 → 0.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 7c5b5358811dba9b5864bc118f19b2cb0c9b7925
-  data.tar.gz: 41acb15b4a2148910f3c7fb8a01f7b51ce31e8aa
+  metadata.gz: 59a8ecc9e18c8112104e721f65e10cd56377803c
+  data.tar.gz: 28937a7a2360736b70cbae0f53c7103659a6ade0
 SHA512:
-  metadata.gz: d6ec85927a497e7dcef985d8b32b59db6c5169c1c95820e311c3f3c6617c893e520c592b411806cf81a18d03d5a1dfab9988fb319a43330a4137d18dee7b61d0
-  data.tar.gz: 787597e6f6315e2620c766d5f83e625f520401399221bc0774d9f76b6a08d342baea5fe09d061fa6dc892876167af750800b7660dc6afff99abb15b025d6c33d
+  metadata.gz: 91b7a092f7dc019da3b410c744351686f146bd8c72d57f1a096f20e107df19ec9ef34b36125131d993d8539899713cdd014cfc98ac6b7e69a1f64729f1f982fb
+  data.tar.gz: 292bfa0003747c1e02cbe6ab3332e6a05b449db6d4f812d440864927f7c4f3b3dcd6ace36adc7574e9ac9849a32091c43d0b236765ed03e70c178a266677d961

data/.travis.yml

@@ -3,11 +3,10 @@ cache: bundler
 sudo: false
 
 env:
+  - VAULT_VERSION=0.6.2
   - VAULT_VERSION=0.6.1
   - VAULT_VERSION=0.6.0
   - VAULT_VERSION=0.5.3
-  - VAULT_VERSION=0.4.1
-  - VAULT_VERSION=0.3.1
 
 before_install:
   - wget -O vault.zip -q https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip

data/CHANGELOG.md

@@ -1,6 +1,22 @@
 # Vault Ruby Changelog
 
-## v0.6.0.dev (Unreleased)
+## v0.7.0 (October 18, 2016)
+
+DEPRECATIONS
+
+- Vault versions older than 0.5.3 are no longer tested
+
+NEW FEATURES
+
+- Add support for AppRole
+- Expose the auth/tune API
+- Add support for leader step down
+- Use persistent connections to Vault to speed up requests
+- Add support for a custom ssl certificate store
+
+BUG FIXES
+
+- Allow for spaces in secret names properly
 
 ## v0.6.0 (August 30, 2016)
 

data/lib/vault/api.rb

@@ -1,5 +1,6 @@
 module Vault
   module API
+    require_relative "api/approle"
     require_relative "api/auth_token"
     require_relative "api/auth_tls"
     require_relative "api/auth"

data/lib/vault/api/approle.rb

@@ -0,0 +1,218 @@
+require "json"
+
+require_relative "secret"
+require_relative "../client"
+require_relative "../request"
+require_relative "../response"
+
+module Vault
+  class Client
+    # A proxy to the {AppRole} methods.
+    # @return [AppRole]
+    def approle
+      @approle ||= AppRole.new(self)
+    end
+  end
+
+  class AppRole < Request
+    # Creates a new AppRole or update an existing AppRole with the given name
+    # and attributes.
+    #
+    # @example
+    #   Vault.approle.set_role("testrole", {
+    #     secret_id_ttl: "10m",
+    #     token_ttl:     "20m",
+    #     policies:      "default",
+    #     period:        3600,
+    #   }) #=> true
+    #
+    # @param [String] name
+    #   The name of the AppRole
+    # @param [Hash] options
+    # @option options [Boolean] :bind_secret_id
+    #   Require secret_id to be presented when logging in using this AppRole.
+    # @option options [String] :bound_cidr_list
+    #   Comma-separated list of CIDR blocks. Specifies blocks of IP addresses
+    #   which can perform the login operation.
+    # @option options [String] :policies
+    #   Comma-separated list of policies set on tokens issued via this AppRole.
+    # @option options [String] :secret_id_num_uses
+    #   Number of times any particular SecretID can be used to fetch a token
+    #   from this AppRole, after which the SecretID will expire.
+    # @option options [Fixnum, String] :secret_id_ttl
+    #   The number of seconds or a golang-formatted timestamp like "60m" after
+    #   which any SecretID expires.
+    # @option options [Fixnum, String] :token_ttl
+    #   The number of seconds or a golang-formatted timestamp like "60m" to set
+    #   as the TTL for issued tokens and at renewal time.
+    # @option options [Fixnum, String] :token_max_ttl
+    #   The number of seconds or a golang-formatted timestamp like "60m" after
+    #   which the issued token can no longer be renewed.
+    # @option options [Fixnum, String] :period
+    #   The number of seconds or a golang-formatted timestamp like "60m".
+    #   If set, the token generated using this AppRole is a periodic token.
+    #   So long as it is renewed it never expires, but the TTL set on the token
+    #   at each renewal is fixed to the value specified here. If this value is
+    #   modified, the token will pick up the new value at its next renewal.
+    #
+    # @return [true]
+    def set_role(name, options = {})
+      headers = extract_headers!(options)
+      client.post("/v1/auth/approle/role/#{encode_path(name)}", JSON.fast_generate(options), headers)
+      return true
+    end
+
+    # Gets the AppRole by the given name. If an AppRole does not exist by that
+    # name, +nil+ is returned.
+    #
+    # @example
+    #   Vault.approle.role("testrole") #=> #<Vault::Secret lease_id="...">
+    #
+    # @return [Secret, nil]
+    def role(name)
+      json = client.get("/v1/auth/approle/role/#{encode_path(name)}")
+      return Secret.decode(json)
+    rescue HTTPError => e
+      return nil if e.code == 404
+      raise
+    end
+
+    # Gets the list of AppRoles in vault auth backend.
+    #
+    # @example
+    #   Vault.approle.roles #=> ["testrole"]
+    #
+    # @return [Array<String>]
+    def roles(options = {})
+      headers = extract_headers!(options)
+      json = client.list("/v1/auth/approle/role", options, headers)
+      return Secret.decode(json).data[:keys] || []
+    rescue HTTPError => e
+      return [] if e.code == 404
+      raise
+    end
+
+    # Reads the RoleID of an existing AppRole. If an AppRole does not exist by
+    # that name, +nil+ is returned.
+    #
+    # @example
+    #   Vault.approle.role_id("testrole") #=> #<Vault::Secret lease_id="...">
+    #
+    # @return [Secret, nil]
+    def role_id(name)
+      json = client.get("/v1/auth/approle/role/#{encode_path(name)}/role-id")
+      return Secret.decode(json).data[:role_id]
+    rescue HTTPError => e
+      return nil if e.code == 404
+      raise
+    end
+
+    # Updates the RoleID of an existing AppRole to a custom value.
+    #
+    # @example
+    #   Vault.approle.set_role_id("testrole") #=> true
+    #
+    # @return [true]
+    def set_role_id(name, role_id)
+      options = { role_id: role_id }
+      client.post("/v1/auth/approle/role/#{encode_path(name)}/role-id", JSON.fast_generate(options))
+      return true
+    end
+
+    # Deletes the AppRole with the given name. If an AppRole does not exist,
+    # vault will not return an error.
+    #
+    # @example
+    #   Vault.approle.delete_role("testrole") #=> true
+    #
+    # @param [String] name
+    #   the name of the certificate
+    def delete_role(name)
+      client.delete("/v1/auth/approle/role/#{encode_path(name)}")
+      return true
+    end
+
+    # Generates and issues a new SecretID on an existing AppRole.
+    #
+    # @example Generate a new SecretID
+    #   result = Vault.approle.create_secret_id("testrole") #=> #<Vault::Secret lease_id="...">
+    #   result.data[:secret_id] #=> "841771dc-11c9-bbc7-bcac-6a3945a69cd9"
+    #
+    # @example Assign a custom SecretID
+    #   result = Vault.approle.create_secret_id("testrole", {
+    #     secret_id: "testsecretid"
+    #   }) #=> #<Vault::Secret lease_id="...">
+    #   result.data[:secret_id] #=> "testsecretid"
+    #
+    # @param [String] role_name
+    #   The name of the AppRole
+    # @param [Hash] options
+    # @option options [String] :secret_id
+    #   SecretID to be attached to the Role. If not set, then the new SecretID
+    #   will be generated
+    # @option options [Hash<String, String>] :metadata
+    #   Metadata to be tied to the SecretID. This should be a JSON-formatted
+    #   string containing the metadata in key-value pairs. It will be set on
+    #   tokens issued with this SecretID, and is logged in audit logs in
+    #   plaintext.
+    #
+    # @return [true]
+    def create_secret_id(role_name, options = {})
+      headers = extract_headers!(options)
+      if options[:secret_id]
+        json = client.post("/v1/auth/approle/role/#{encode_path(role_name)}/custom-secret-id", JSON.fast_generate(options), headers)
+      else
+        json = client.post("/v1/auth/approle/role/#{encode_path(role_name)}/secret-id", JSON.fast_generate(options), headers)
+      end
+      return Secret.decode(json)
+    end
+
+    # Reads out the properties of a SecretID assigned to an AppRole.
+    # If the specified SecretID don't exist, +nil+ is returned.
+    #
+    # @example
+    #   Vault.approle.role("testrole", "841771dc-11c9-...") #=> #<Vault::Secret lease_id="...">
+    #
+    # @param [String] role_name
+    #   The name of the AppRole
+    # @param [String] secret_id
+    #   SecretID belonging to AppRole
+    #
+    # @return [Secret, nil]
+    def secret_id(role_name, secret_id)
+      opts = { secret_id: secret_id }
+      json = client.post("/v1/auth/approle/role/#{encode_path(role_name)}/secret-id/lookup", JSON.fast_generate(opts), {})
+      return nil unless json
+      return Secret.decode(json)
+    rescue HTTPError => e
+      if e.code == 404 || e.code == 405
+        begin
+          json = client.get("/v1/auth/approle/role/#{encode_path(role_name)}/secret-id/#{encode_path(secret_id)}")
+          return Secret.decode(json)
+        rescue HTTPError => e
+          return nil if e.code == 404
+          raise e
+        end
+      end
+
+      raise
+    end
+
+    # Lists the accessors of all the SecretIDs issued against the AppRole.
+    # This includes the accessors for "custom" SecretIDs as well. If there are
+    # no SecretIDs against this role, an empty array will be returned.
+    #
+    # @example
+    #   Vault.approle.secret_ids("testrole") #=> ["ce102d2a-...", "a1c8dee4-..."]
+    #
+    # @return [Array<String>]
+    def secret_id_accessors(role_name, options = {})
+      headers = extract_headers!(options)
+      json = client.list("/v1/auth/approle/role/#{encode_path(role_name)}/secret-id", options, headers)
+      return Secret.decode(json).data[:keys] || []
+    rescue HTTPError => e
+      return [] if e.code == 404
+      raise
+    end
+  end
+end

data/lib/vault/api/auth.rb

@@ -74,6 +74,30 @@ module Vault
       return secret
     end
 
+    # Authenticate via the "approle" authentication method. If authentication is
+    # successful, the resulting token will be stored on the client and used for
+    # future requests.
+    #
+    # @example
+    #   Vault.auth.approle(
+    #     "db02de05-fa39-4855-059b-67221c5c2f63",
+    #     "6a174c20-f6de-a53c-74d2-6018fcceff64",
+    #   ) #=> #<Vault::Secret lease_id="">
+    #
+    # @param [String] role_id
+    # @param [String] secret_id (default: nil)
+    #   It is required when `bind_secret_id` is enabled for the specified role_id
+    #
+    # @return [Secret]
+    def approle(role_id, secret_id=nil)
+      payload = { role_id: role_id }
+      payload[:secret_id] = secret_id if secret_id
+      json = client.post("/v1/auth/approle/login", JSON.fast_generate(payload))
+      secret = Secret.decode(json)
+      client.token = secret.auth.client_token
+      return secret
+    end
+
     # Authenticate via the "userpass" authentication method. If authentication
     # is successful, the resulting token will be stored on the client and used
     # for future requests.
@@ -93,7 +117,7 @@ module Vault
     # @return [Secret]
     def userpass(username, password, options = {})
       payload = { password: password }.merge(options)
-      json = client.post("/v1/auth/userpass/login/#{CGI.escape(username)}", JSON.fast_generate(payload))
+      json = client.post("/v1/auth/userpass/login/#{encode_path(username)}", JSON.fast_generate(payload))
       secret = Secret.decode(json)
       client.token = secret.auth.client_token
       return secret
@@ -115,7 +139,7 @@ module Vault
     # @return [Secret]
     def ldap(username, password, options = {})
       payload = { password: password }.merge(options)
-      json = client.post("/v1/auth/ldap/login/#{CGI.escape(username)}", JSON.fast_generate(payload))
+      json = client.post("/v1/auth/ldap/login/#{encode_path(username)}", JSON.fast_generate(payload))
       secret = Secret.decode(json)
       client.token = secret.auth.client_token
       return secret

data/lib/vault/api/auth_tls.rb

@@ -42,7 +42,7 @@ module Vault
     # @return [true]
     def set_certificate(name, options = {})
       headers = extract_headers!(options)
-      client.post("/v1/auth/cert/certs/#{CGI.escape(name)}", JSON.fast_generate(options), headers)
+      client.post("/v1/auth/cert/certs/#{encode_path(name)}", JSON.fast_generate(options), headers)
       return true
     end
 
@@ -54,7 +54,7 @@ module Vault
     #
     # @return [Secret, nil]
     def certificate(name)
-      json = client.get("/v1/auth/cert/certs/#{CGI.escape(name)}")
+      json = client.get("/v1/auth/cert/certs/#{encode_path(name)}")
       return Secret.decode(json)
     rescue HTTPError => e
       return nil if e.code == 404
@@ -85,7 +85,7 @@ module Vault
     # @param [String] name
     #   the name of the certificate
     def delete_certificate(name)
-      client.delete("/v1/auth/cert/certs/#{CGI.escape(name)}")
+      client.delete("/v1/auth/cert/certs/#{encode_path(name)}")
       return true
     end
   end

data/lib/vault/api/auth_token.rb

@@ -95,7 +95,7 @@ module Vault
     # @return [Secret]
     def create_with_role(name, options = {})
       headers = extract_headers!(options)
-      json = client.post("/v1/auth/token/create/#{CGI.escape(name)}", JSON.fast_generate(options), headers)
+      json = client.post("/v1/auth/token/create/#{encode_path(name)}", JSON.fast_generate(options), headers)
       return Secret.decode(json)
     end
 
@@ -108,7 +108,7 @@ module Vault
     #
     # @return [Secret]
     def lookup(token)
-      json = client.get("/v1/auth/token/lookup/#{CGI.escape(token)}")
+      json = client.get("/v1/auth/token/lookup/#{encode_path(token)}")
       return Secret.decode(json)
     end
 

data/lib/vault/api/help.rb

@@ -26,7 +26,7 @@ module Vault
     #
     # @return [Help]
     def help(path)
-      json = self.get("/v1/#{CGI.escape(path)}", help: 1)
+      json = self.get("/v1/#{EncodePath.encode_path(path)}", help: 1)
       return Help.decode(json)
     end
   end

data/lib/vault/api/logical.rb

@@ -25,7 +25,7 @@ module Vault
     # @return [Array<String>]
     def list(path, options = {})
       headers = extract_headers!(options)
-      json = client.list("/v1/#{CGI.escape(path)}", {}, headers)
+      json = client.list("/v1/#{encode_path(path)}", {}, headers)
       json[:data][:keys] || []
     rescue HTTPError => e
       return [] if e.code == 404
@@ -44,7 +44,7 @@ module Vault
     # @return [Secret, nil]
     def read(path, options = {})
       headers = extract_headers!(options)
-      json = client.get("/v1/#{CGI.escape(path)}", {}, headers)
+      json = client.get("/v1/#{encode_path(path)}", {}, headers)
       return Secret.decode(json)
     rescue HTTPError => e
       return nil if e.code == 404
@@ -65,7 +65,7 @@ module Vault
     # @return [Secret]
     def write(path, data = {}, options = {})
       headers = extract_headers!(options)
-      json = client.put("/v1/#{CGI.escape(path)}", JSON.fast_generate(data), headers)
+      json = client.put("/v1/#{encode_path(path)}", JSON.fast_generate(data), headers)
       if json.nil?
         return true
       else
@@ -84,7 +84,7 @@ module Vault
     #
     # @return [true]
     def delete(path)
-      client.delete("/v1/#{CGI.escape(path)}")
+      client.delete("/v1/#{encode_path(path)}")
       return true
     end
 

data/lib/vault/api/sys/audit.rb

@@ -51,7 +51,7 @@ module Vault
     #
     # @return [true]
     def enable_audit(path, type, description, options = {})
-      client.put("/v1/sys/audit/#{CGI.escape(path)}", JSON.fast_generate(
+      client.put("/v1/sys/audit/#{encode_path(path)}", JSON.fast_generate(
         type:        type,
         description: description,
         options:     options,
@@ -67,7 +67,7 @@ module Vault
     #
     # @return [true]
     def disable_audit(path)
-      client.delete("/v1/sys/audit/#{CGI.escape(path)}")
+      client.delete("/v1/sys/audit/#{encode_path(path)}")
       return true
     end
   end

data/lib/vault/api/sys/auth.rb

@@ -13,6 +13,18 @@ module Vault
     field :type
   end
 
+  class AuthConfig < Response
+    # @!attribute [r] default_lease_ttl
+    #   The default time-to-live.
+    #   @return [String]
+    field :default_lease_ttl
+
+    # @!attribute [r] max_lease_ttl
+    #   The maximum time-to-live.
+    #   @return [String]
+    field :max_lease_ttl
+  end
+
   class Sys
     # List all auths in Vault.
     #
@@ -45,7 +57,7 @@ module Vault
       payload = { type: type }
       payload[:description] = description if !description.nil?
 
-      client.post("/v1/sys/auth/#{CGI.escape(path)}", JSON.fast_generate(payload))
+      client.post("/v1/sys/auth/#{encode_path(path)}", JSON.fast_generate(payload))
       return true
     end
 
@@ -60,8 +72,45 @@ module Vault
     #
     # @return [true]
     def disable_auth(path)
-      client.delete("/v1/sys/auth/#{CGI.escape(path)}")
+      client.delete("/v1/sys/auth/#{encode_path(path)}")
       return true
     end
+
+    # Read the given auth path's configuration.
+    #
+    # @example
+    #   Vault.sys.auth_tune("github") #=> #<Vault::AuthConfig "default_lease_ttl"=3600, "max_lease_ttl"=7200>
+    #
+    # @param [String] path
+    #   the path to retrieve configuration for
+    #
+    # @return [AuthConfig]
+    #   configuration of the given auth path
+    def auth_tune(path)
+      json = client.get("/v1/sys/auth/#{encode_path(path)}/tune")
+      return AuthConfig.decode(json)
+    rescue HTTPError => e
+      return nil if e.code == 404
+      raise
+    end
+
+    # Write the given auth path's configuration.
+    #
+    # @example
+    #   Vault.sys.auth_tune("github", "default_lease_ttl" => 600, "max_lease_ttl" => 1200 ) #=>  true
+    #
+    # @param [String] path
+    #   the path to retrieve configuration for
+    #
+    # @return [AuthConfig]
+    #   configuration of the given auth path
+    def put_auth_tune(path, config = {})
+      json = client.put("/v1/sys/auth/#{encode_path(path)}/tune", JSON.fast_generate(config))
+      if json.nil?
+        return true
+      else
+        return Secret.decode(json)
+      end
+    end
   end
 end